Extracted

Extracted

• • Target

    fbae53e539c388e11c4f330ba6e2010f_JaffaCakes118

  • Size

    2.0MB

  • MD5

    fbae53e539c388e11c4f330ba6e2010f

  • SHA1

    2d16711a395bd0f27756fab2f4f744a4f3a9f4c4

  • SHA256

    d70954b2e608f3d2f4561364035d3c4958743a668db083f21a7b216a820ca539

  • SHA512

    b0ff9c987c836da8ac5df7dda796bd70509112e25fa3cd1eda895964b15ad211eecc159c9910925a4f001cec2d691c42c542c922660a3149393d05eb398c4e54

  • SSDEEP

    24576:X0a/3paargPZtr1msdlDTtcSqxSrj8X27aBRmFMA9MxlCZ/W5DUulT777fcS:h3p9gLrIydqxy8Xf/m+Auxuy577

  Score

  10^/10

  mercurialgrabbernjratzgratratstealertrojancleanevasionpersistencespyware

  • Detect ZGRat V1

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  behavioral1behavioral2